
Net-Worm.Win32.Sasser.c

Detected May 03 2004 16:08 GMT
Released May 03 2004 16:08 GMT
Published May 11 2004 09:29 GMT

Technical Details

This worm spreads via the Internet by exploiting a vulnerability in the Microsoft Windows LSASS service. The vulnerability is described in Microsoft Security Bulletin MS04-011.

The patch for this vulnerability was released on 13th April 2004. The first sample of the worm was detected on 30th April 2004.

The worm works in a way very similar to Lovesan, which appeared in August 2003. Lovesan exploited a similar vulnerability in the Windows RPC DCOM service.

Machines running Windows 2000/XP/2003 Server are vulnerable to infection. The worm can run on other versions of Windows, but on those versions it cannot use the vulnerability to penetrate machines from the outside.

The worm is written in C/C++ using the Visual C compiler. It is approximately 16KB in size and is packed with PECompact 2.

Signs of infection:

  • a file named skynetave.exe in the Windows directory
  • an error message reporting an LSASS service failure, followed by a system reboot

How Sasser.c differs from Sasser.b

The worm file has a different name: skynetave.exe instead of avserve.exe. Correspondingly, the system registry entry will be different.

The mutex has also been changed, to SkynetSasserVersionWithPingFast.

When attacking a remote machine, the worm launches a remote shell on the victim on TCP port 9995.

Before sending the exploit to the victim machine, the worm sends a preliminary ICMP echo request (ping) to check that the host is reachable.
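The probe sequence described above (ICMP echo request, then the LSASS exploit, then a connection to the TCP 9995 remote shell) is what a network defender would look for. The following is an added detection example, not Kaspersky's code: it walks constructed flow-log lines and reports source hosts that perform the three steps against the same target within a short window. It assumes the LSASS exploit is delivered over SMB on TCP port 445 (not stated on this page) and a 60-second window; both are labelled as assumptions in the code.

```python
"""Flag hosts whose traffic matches the Sasser.c probe sequence:
ICMP echo request -> TCP to the LSASS/SMB port -> TCP to port 9995 (remote shell)."""
from collections import defaultdict

LSASS_PORT = 445   # assumption: exploit rides over SMB/TCP 445 (not stated on the page)
SHELL_PORT = 9995  # from the page: Sasser.c remote shell port
WINDOW_S = 60      # assumption: all three steps occur within one minute


def parse_flow(line):
    """Parse one constructed flow-log line: '<epoch> <proto> <src> <dst> <dport>'."""
    ts, proto, src, dst, dport = line.split()
    return {"ts": int(ts), "proto": proto.upper(), "src": src, "dst": dst, "dport": int(dport)}


def detect_sasser_c_candidates(lines):
    """Return {attacker_ip: [victim_ip, ...]} for every src/dst pair that shows
    ICMP -> TCP/LSASS_PORT -> TCP/SHELL_PORT in order inside WINDOW_S seconds."""
    flows = sorted((parse_flow(ln) for ln in lines if ln.strip()), key=lambda f: f["ts"])
    stage = defaultdict(lambda: [0, None])  # per (src, dst): [step reached, ts of ICMP step]
    hits = defaultdict(list)
    for f in flows:
        key = (f["src"], f["dst"])
        step, t0 = stage[key]
        if t0 is not None and f["ts"] - t0 > WINDOW_S:
            step, t0 = 0, None  # sequence too old; start over
        if step == 0 and f["proto"] == "ICMP":
            stage[key] = [1, f["ts"]]
        elif step == 1 and f["proto"] == "TCP" and f["dport"] == LSASS_PORT:
            stage[key] = [2, t0]
        elif step == 2 and f["proto"] == "TCP" and f["dport"] == SHELL_PORT:
            stage[key] = [0, None]
            if f["dst"] not in hits[f["src"]]:
                hits[f["src"]].append(f["dst"])
        else:
            stage[key] = [step, t0]  # keep (possibly reset) state
    return dict(hits)


# Constructed sample flows (not real captures). Fields: epoch proto src dst dport
SAMPLE_LOG = """\
1083600000 ICMP 10.0.0.5 10.0.0.9 0
1083600001 TCP 10.0.0.5 10.0.0.9 445
1083600003 TCP 10.0.0.5 10.0.0.9 9995
1083600010 ICMP 10.0.0.7 10.0.0.9 0
1083600012 TCP 10.0.0.7 10.0.0.9 445
1083600020 ICMP 10.0.0.5 10.0.0.12 0
1083600200 TCP 10.0.0.5 10.0.0.12 445
1083600201 TCP 10.0.0.5 10.0.0.12 9995
""".splitlines()

if __name__ == "__main__":
    print(detect_sasser_c_candidates(SAMPLE_LOG))  # {'10.0.0.5': ['10.0.0.9']}
```

Only 10.0.0.5 against 10.0.0.9 completes all three steps in time; 10.0.0.7 never opens the shell port, and the 10.0.0.12 sequence falls outside the window.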


Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.

Aliases

Net-Worm.Win32.Sasser.c (Kaspersky Lab) is also known as:

  • Worm.Win32.Sasser.c (Kaspersky Lab)
  • W32/Sasser-D (Sophos)
  • Worm.Sasser.d (ClamAV)
  • Adware/Lop (Panda)
  • W32/Sasser.D (FPROT)
  • Worm:Win32/Sasser.dam (MS(OneCare))
  • Win32.HLLW.Jobaka.4 (DrWeb)
  • Net-Worm.Win32.Sasser.c (Ikarus)
  • WORM/Sasser.D (AVIRA)
  • Suspicious_Gen2.DKGZY (Norman)
  • Net-Worm.Win32.Sasser.c [AVP] (FSecure)